[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Sat Apr 29 14:29:15 CEST 2017


For the Fortigate connection, if I add both local and remote ID 
instead of only the remote ID, I get the following:

authentication of '85.230.x.x' with pre-shared key successful
constraint check failed: identity 'remote.example' required
selected peer config 'site2site' inacceptable: constraint checking failed
no alternative config found

With only the remote ID, as you suggested:

parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
no shared key found for 'local.example' - '85.230.x.x'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]


On 2017-04-29 at 13:26, Dusan Ilic wrote:
>
> no shared key found for 'local.example' - '137.135.x.x'
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> The remote side is a Fortigate firewall, so I can't configure it the 
> same way. I can just choose the local interface (i.e. wan) and a remote gateway IP 
> or Dynamic DNS; I have chosen Dynamic DNS.
> It logs "peer SA proposal not match local policy".
>
> If I change to IP addresses it works, but that won't work for very long, 
> unfortunately.
>
>
> On 2017-04-29 at 02:49, Noel Kuntze wrote:
>> Hello Dusan,
>>
>> On 29.04.2017 02:25, Dusan Ilic wrote:
>>> Hi Noel,
>>>
>>> Okay, if I don't set "left" and initiate the connection it takes the wrong route (multiple WAN interfaces) and the remote peer doesn't expect that source IP. It probably works better if the remote peer initiates the connection instead.
>>>
>>> If I set "left=%local.example" and "right" / "rightid" as you suggest, I get the following output in the logfile:
>>>
>>> Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for 'local.example' - '137.135.x.x', but MAC mismatched
>>> Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>
>>> If I fiddle in ipsec.secrets a bit, I get this instead:
>>>
>>> authentication of '137.135.x.x' with pre-shared key successful
>>> constraint check failed: identity 'remote.example' required
>>> selected peer config 'site2site' inacceptable: constraint checking failed
>>> no alternative config found
>>>
>> Alright. Try the following:
>> left=%local.example
>> leftid=local.example
>> right=%remote.example
>> rightid=remote.example
>>
>> remote.example : PSK "PSKGOESHERE"
>>
>> Do it vice versa on the remote peer.
>>
>> Kind regards,
>> Noel
>>
>

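An added example, not part of this thread or of strongSwan's own documentation, of how ipsec.conf and ipsec.secrets have to line up for the situation the logs above show: the Fortigate authenticates with its current address as its IKE identity ("authentication of '85.230.x.x' with pre-shared key successful"), so an identity constraint of remote.example, and a secrets line selected only by remote.example, can never match it. The names, subnets and key are placeholders, and the block assumes a PSK-only IKEv2 site-to-site tunnel as discussed in the thread; the Fortigate side is not shown.

```conf
# /etc/ipsec.conf  (strongSwan side; placeholder names, subnets and key)
conn site2site
    keyexchange=ikev2
    authby=psk
    # '%' prefix on a host name: resolve it each time the connection is
    # (re)initiated instead of once at config load, so a dynamic-DNS
    # change on either side is picked up without reloading the config.
    left=%local.example
    right=%remote.example
    # Identity we send as IDi: a name, so it survives our own IP change.
    leftid=local.example
    # Identity we require in IDr.  The peer asserts its current address
    # (see "authentication of '85.230.x.x' ... successful"), so
    # rightid=remote.example fails with "constraint check failed:
    # identity 'remote.example' required".  %any accepts whatever ID the
    # peer asserts; the peer is then authenticated by the PSK alone.
    rightid=%any
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=start

# /etc/ipsec.secrets
# Selectors are compared with the identities actually exchanged in
# IKE_AUTH (IDi/IDr), not with the host names given in left/right.  The
# failing lookup was for the pair 'local.example' - '85.230.x.x'; a line
# selected only by remote.example matches neither side and produces
# "no shared key found".  A line that does match but holds a different
# key produces "tried 1 shared key ... but MAC mismatched".
local.example %any : PSK "PSKGOESHERE"
```

With rightid=%any the PSK is the only thing binding this connection to that particular Fortigate, so it should be unique to this peer and long enough to resist offline guessing from a captured IKE_AUTH exchange. If the Fortigate can be made to send a name rather than its address as its IKE identity (an assumption about its phase 1 settings, not something the thread confirms), keep rightid=remote.example and use a selector line of the form `local.example remote.example : PSK "..."` so that the identity check is enforced again. The `no shared key found for 'A' - 'B'` log line names exactly the identity pair the selectors have to cover, so it can be checked against ipsec.secrets before touching the peer.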